This question came from our site for professional and enthusiast programmers.

1

Don't have time for a full answer, but put the users in an access group, then assign file permissions to only that group. Also, should be using at least HTTP Digest, Win Integrated would be better. Basic sends passwords in clear text, easily scooped up be nefarious people.
–
Chris SDec 11 '11 at 15:28

"You can control which users and computers are allowed to access your Web server and its resources. You can use both NTFS and Internet Information Services (IIS) security features, such as Web permissions and IP address restrictions, to specific access rights to Web sites, directories, and files."

For IIS version 7 and higher: open the IIS Manager, select application or folder, activate .NET Authorization Rules, edit rules.
Use the following link to read more about ASP.NET Web Application Security